HHS Provides Tips For Strengthening Cyber Posture in Healthcare

June 17, 2022 - The HHS Health Sector Cybersecurity Coordination Center (HC3) issued a brief with tips for strengthening cyber posture in healthcare.

HC3 defined cyber posture as “the overall strength of an organization’s cybersecurity, protocols for predicting and preventing cyber threats, and the ability to act as well as respond during and after an attack.”

Having technical, physical, and administrative safeguards in place to shield protected health information (PHI) is required by HIPAA. Even so, a strong cyber posture is more than just checking a box for compliance purposes.

Having a robust cybersecurity program can prevent fraud and cyber espionage while improving customer confidence and protecting data from unauthorized access or loss, HC3 noted.

HC3 encouraged healthcare organizations to take the following steps to strengthen their cyber posture:

• Conduct regular security posture assessments
• Consistently monitor networks and software for vulnerabilities
• Define which department owns what risks and assign managers to specific risks
• Regularly analyze gaps in your security controls
• Define a few key security metrics
• Create an incident response plan and a disaster recovery plan

The center also directed healthcare organizations to the Cybersecurity and Infrastructure Security Agency’s (CISA) “CISA Insights,” which contains numerous cybersecurity best practices. CISA recommends that organizations validate all authorized remote access, ensure that software is up to date, and implement strong controls on cloud services.

If organizations detect a cyber intrusion, cybersecurity personnel should enable logging, quickly identify unusual behavior, and confirm that the network is protected by antivirus software. A designated crisis-response team should already be established to take on legal, communications, business continuity, and IT roles and responsibilities.

Cyber resilience is also a crucial component of a strong cyber posture. Achieving cyber resilience requires organizations to test backup procedures so critical data can be quickly restored in the event of a cyber incident.

“If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted,” the brief also stated.

HC3 also stressed the importance of a security risk assessment, which can help organizations quantify risk, determine the likelihood of exploitation, and identify vulnerabilities and threat sources. The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) recently released version 3.3 of the HHS Security Risk Assessment (SRA) Tool, which can help organizations navigate this process.

In addition to being compliant with the law, organizations within the health sector should strive to do their best to stick to the mission of protecting patient data and sensitive information in our network from malicious threat actors,” the brief concluded.